Microsoft has patched a fresh security vulnerability in Exchange Server that enables attackers to bypass authentication and snoop on employee emails.
The high-severity flaw (CVSS 7.3) means unauthenticated assailants can install a forwarding rule on victims’ mailboxes that forwards incoming emails to their own account, according to a blog post published yesterday (August 30) by the Zero Day Initiative (ZDI).
Dubbed ‘ProxyToken’, the flaw (CVE-2021-33766) was reported to the Zero Day Initiative in March 2021 by Le Xuan Tuyen of the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC). Microsoft released a patch in July.
The disclosure is the latest in a string of serious vulnerabilities to surface in the market-leading enterprise mail server and follows a recent barrage of attacks targeting systems unpatched against ‘ProxyShell’ vulnerabilities.
Security researchers at Huntress Labs have found LockFile ransomware payloads and more than 200 hidden webshells among more than 4,000 Exchange servers since the Cybersecurity and Infrastructure Security Agency (CISA) urged users to update their systems on August 21.
Authentication delegation
The latest vulnerability relates to the ‘Delegated Authentication’ mechanism and impacts deployments in their default configuration.
Delegated Authentication means Microsoft Exchange’s front-end client for Outlook Web Access (OWA) and Exchange Control Panel (ECP) delegates the authentication of requests within /ecp to the back end if it finds a non-empty cookie named SecurityToken.
Le Xuan Tuyen found that, in installations not configured to use Delegated Authentication, “a <remove> element appears” in the /ecp/web.config on the back end, “so that the module DelegatedAuthModule will not be loaded at all for the back-end ECP site”, explained ZDI security researcher Simon Zuckerbraun.
In layman’s terms, this means the front end is informed that responsibility for authenticating the request lies with the back end – which is oblivious to the obligation.
“The net result is that requests can sail through, without being subjected to authentication on either the front or back end,” said Zuckerbraun.
The exploit requires that attackers have an account on the target Exchange Server – except for installations where administrators have permitted “forwarding rules with arbitrary internet destinations”, said Zuckerbraun.
“Furthermore, since the entire /ecp site is potentially affected, various other means of exploitation may be available as well,” he added.
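The post-exploitation artefact described above is a mailbox forwarding rule pointing outside the organisation. As an added example (not code from the article or from ZDI), the following hunt lists every inbox rule that forwards or redirects to a domain the server does not itself accept; it assumes an Exchange Management Shell session and that Get-AcceptedDomain returns the organisation's own domains.

```powershell
# Build the set of domains this Exchange organisation owns (lower-cased for comparison).
$accepted = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Get-ExternalTargets {
    # Return the SMTP addresses among $Recipients whose domain is not an accepted domain.
    param([object[]]$Recipients)
    $external = @()
    foreach ($r in $Recipients) {
        $s = $r.ToString()
        # Rule recipients render as "Display Name [SMTP:user@example.com]" or as a bare address.
        if ($s -match 'SMTP:([^\]\s]+)') { $addr = $Matches[1] } else { $addr = $s }
        $domain = ($addr -split '@')[-1].ToLower()
        if ($accepted -notcontains $domain) { $external += $addr }
    }
    return $external
}

# Walk every mailbox and every inbox rule; keep rules with an external forward/redirect target.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ }
        $ext = Get-ExternalTargets -Recipients $targets
        if ($ext.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Targets  = ($ext -join ';')
            }
        }
    }
}

# Review the hits by hand: legitimate external forwards exist, but rules created by a
# mailbox owner who did not set them up warrant the same triage as a compromised account.
$findings | Format-Table -AutoSize
```

Disabled rules are reported too, since an attacker can re-enable one later; the Enabled column lets the reviewer prioritise.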
‘Amazingly fertile area’
Exchange Server’s “enormous complexity, both in terms of feature set and architecture”, makes it “an amazingly fertile area for vulnerability research”, said Zuckerbraun.
This comment echoed similar sentiments expressed recently by fellow researcher Orange Tsai in relation to his ‘ProxyShell’, ‘ProxyOracle’, and ‘ProxyLogon’ exploits at Black Hat USA 2021.
Describing Exchange Server as “a buried treasure”, Tsai said ‘ProxyLogon’, which was involved in the compromise of hundreds of thousands of enterprise messaging servers in March, was potentially “the most severe vulnerability in the history of Microsoft Exchange”.
The Daily Swig has contacted Microsoft and the ZDI for further comment. We will update the article if comments are forthcoming.
Source: https://portswigger.net/daily-swig/microsoft-exchange-server-had-proxytoken-vulnerability-that-leaked-incoming-emails